150 lines
5.4 KiB
C++
150 lines
5.4 KiB
C++
/* Copyright (c) 2020, 2024, Oracle and/or its affiliates.
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License, version 2.0,
|
|
as published by the Free Software Foundation.
|
|
|
|
This program is designed to work with certain software (including
|
|
but not limited to OpenSSL) that is licensed under separate terms,
|
|
as designated in a particular file or component or in included license
|
|
documentation. The authors of MySQL hereby grant you an additional
|
|
permission to link the program and your derivative works with the
|
|
separately licensed software that they have either included with
|
|
the program or referenced in the documentation.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License, version 2.0, for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA */
|
|
|
|
#ifndef SSL_INIT_CALLBACK_INCLUDED
|
|
#define SSL_INIT_CALLBACK_INCLUDED
|
|
|
|
#include <atomic>
|
|
#include <string>
|
|
|
|
#include <sql/auth/auth_common.h> /* ssl_artifacts_status */
|
|
|
|
/** The runtime value of whether admin TLS used different config or not */
|
|
extern std::atomic_bool g_admin_ssl_configured;
|
|
/**
|
|
The configure time value of whether admin TLS used different config or not.
|
|
The value for this is determined during system variable update.
|
|
True means that the ADMIN channel is using its own TLS configuration.
|
|
False means that the ADMIN channel is reusing the main channel's
|
|
TLS configuration.
|
|
To put this value into effect (and update @ref g_admin_ssl_configured)
|
|
one needs to execute the "ALTER INSTANCE RELOAD TLS" SQL command.
|
|
*/
|
|
extern bool opt_admin_ssl_configured;
|
|
|
|
extern std::string mysql_main_channel;
|
|
extern std::string mysql_admin_channel;
|
|
extern bool opt_tls_certificates_enforced_validation;
|
|
|
|
/** helper class to deal with optionally empty strings */
|
|
class OptionalString {
|
|
public:
|
|
OptionalString() : value_(), empty_(true) {}
|
|
OptionalString(const char *s) : value_(s ? s : ""), empty_(!s) {}
|
|
~OptionalString() = default;
|
|
OptionalString(const OptionalString &) = default;
|
|
|
|
const char *c_str() const { return empty_ ? nullptr : value_.c_str(); }
|
|
OptionalString &assign(const char *s) {
|
|
value_.assign(s ? s : "");
|
|
empty_ = !s;
|
|
return *this;
|
|
}
|
|
|
|
private:
|
|
std::string value_;
|
|
bool empty_;
|
|
};
|
|
|
|
/* Class to encasulate callbacks for init/reinit */
|
|
class Ssl_init_callback {
|
|
public:
|
|
virtual void read_parameters(OptionalString *ca, OptionalString *capath,
|
|
OptionalString *version, OptionalString *cert,
|
|
OptionalString *cipher,
|
|
OptionalString *ciphersuites,
|
|
OptionalString *key, OptionalString *crl,
|
|
OptionalString *crl_path,
|
|
bool *session_cache_mode,
|
|
long *session_cache_timeout) = 0;
|
|
|
|
virtual bool provision_certs() = 0;
|
|
|
|
virtual bool warn_self_signed_ca() = 0;
|
|
|
|
virtual ~Ssl_init_callback() = default;
|
|
};
|
|
|
|
/**
|
|
Class to encasulate callbacks for init/reinit
|
|
for client server connection port
|
|
*/
|
|
class Ssl_init_callback_server_main final : public Ssl_init_callback {
|
|
public:
|
|
void read_parameters(OptionalString *ca, OptionalString *capath,
|
|
OptionalString *version, OptionalString *cert,
|
|
OptionalString *cipher, OptionalString *ciphersuites,
|
|
OptionalString *key, OptionalString *crl,
|
|
OptionalString *crl_path, bool *session_cache_mode,
|
|
long *session_cache_timeout) override;
|
|
|
|
bool provision_certs() override;
|
|
|
|
bool warn_self_signed_ca() override;
|
|
|
|
~Ssl_init_callback_server_main() override = default;
|
|
|
|
private:
|
|
ssl_artifacts_status auto_detect_ssl();
|
|
};
|
|
|
|
/**
|
|
Class to encasulate callbacks for init/reinit
|
|
for admin connection port
|
|
*/
|
|
class Ssl_init_callback_server_admin final : public Ssl_init_callback {
|
|
public:
|
|
void read_parameters(OptionalString *ca, OptionalString *capath,
|
|
OptionalString *version, OptionalString *cert,
|
|
OptionalString *cipher, OptionalString *ciphersuites,
|
|
OptionalString *key, OptionalString *crl,
|
|
OptionalString *crl_path, bool *session_cache_mode,
|
|
long *session_cache_timeout) override;
|
|
|
|
bool provision_certs() override {
|
|
/*
|
|
No automatic provisioning. Always return
|
|
success to fallback to system variables.
|
|
*/
|
|
return false;
|
|
}
|
|
|
|
bool warn_self_signed_ca() override;
|
|
|
|
~Ssl_init_callback_server_admin() override = default;
|
|
};
|
|
|
|
extern Ssl_init_callback_server_main server_main_callback;
|
|
extern Ssl_init_callback_server_admin server_admin_callback;
|
|
|
|
/**
|
|
Helper method to validate values of --tls-version and --admin-tls-version
|
|
*/
|
|
bool validate_tls_version(const char *val);
|
|
|
|
enum class TLS_version { TLSv12 = 0, TLSv13 };
|
|
/**
|
|
Helper method to validate values of --ssl-cipher and --admin-ssl-cipher
|
|
*/
|
|
bool validate_ciphers(const char *option, const char *val, TLS_version version);
|
|
#endif // !SSL_INIT_CALLBACK_INCLUDED
|